MTAT Applied Cryptography

Transcription

1 MTAT Applied Cryptography Smart Cards 2 University of Tartu Spring / 19

2 Security Model Parties involved in smart card based system: Cardholder Data owner Terminal Card issuer Card manufacturer Software manufacturer Smart card threat models: attacks by the terminal against the cardholder attacks by the cardholder against the terminal attacks by the cardholder against the data owner attacks by the cardholder against the issuer attacks by the cardholder against the software manufacturer attacks by the terminal owner against the issuer attacks by the issuer against the cardholder attacks by the (software)manufacturer against the data owner 2 / 19

3 Estonian ID card Used for: Protected RSA private key storage Perform on-card signing/decryption Authorize cryptographic operations (using PIN) Cardholder / Data owner / Terminal / Card issuer / Card manufacturer / Software manufacturer Attacks: by the terminal against the cardholder by the cardholder against the terminal by the cardholder against the data owner by the cardholder against the issuer by the issuer against the cardholder by the (software)manufacturer against the data owner 3 / 19

4 Mobile phones (SIM card) Used for: Store phone book contacts and SMS messages Store settings (operator information) Store 128-bit symmetric subscriber authentication key Perform RUN GSM ALGORITHM Authorize operations (using PIN) Mobile-ID Attacks: by the cardholder against the data owner by the terminal owner against the issuer by the issuer against the cardholder 4 / 19

5 Payments (EMV) EMV stands for Europay, MasterCard and Visa Used for: Store symmetric MAC key Authentication of credit card transactions (using PIN) Attacks: by the terminal against the cardholder by the cardholder against the data owner by the cardholder against the issuer by the terminal owner against the issuer by the issuer against the data owner 5 / 19

6 Other Payment Cards Used for: Store credit value Store account number Attacks: by the cardholder against the terminal by the cardholder against the data owner/issuer 6 / 19

7 Pay TV Used for: TV signal decryption Store channel filters Attacks: by the cardholder against the data owner/issuer by the terminal owner against the issuer 7 / 19

8 Tachograph Used for: Record driving activities Attacks: by the cardholder against the data owner/issuer by the terminal owner against the issuer 8 / 19

9 Attacks Against Smart Cards Side channel attacks: Timing analysis Power analysis EM signal analysis Introducing gliches, faults (voltage, clock rate) Induce bit errors Physical attacks: Chemical etching Chip re-wiring Addition of a track Cutting of a track Countermeasures Metal layers Onboard sensors (temp, light, frequency)... 9 / 19

10 Task 1 Implement utility that performs signing on ID card. $./esteid_sign.py somefile somefile.signature [+] Selected reader: Gemalto PC Twin Reader [+] EstEID v1.1 on MultiOS (DigiID) [=] Signing file somefile [+] Calculated SHA1 digest: e cd7f32184a22190ab c [+] Making DigestInfo object... [+] Sending DigestInfo to smart card for signing... [?] Enter PIN2: [+] Signature saved into somefile.signature $./esteid_getcert.py --cert sign --out sign.pem $ openssl x509 -in sign.pem -pubkey -noout > signpub.pem $ openssl dgst -verify signpub.pem -sha1 -signature somefile.signature somefile Verified OK $ openssl rsautl -certin -inkey sign.pem -in somefile.signature -verify -raw -hexdump ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff-ff ff ff ff ! b 0e a e ^ c d7 f a ab c Tui<..!..!..f.d, 10 / 19

11 Task 1: Signing (spec page 40) SELECT FILE MF/EEEE With MANAGE SECURITY ENVIRONMENT restore security environment #1 With VERIFY verify PIN2 Obtain PIN2 using python s raw input() PIN has to be sent as list of chars [ord(c) for c in pin2] Wrong PIN decreases PIN retry counter (!!!) Succesfully entered PIN resets retry counter If PIN blocks, it can be reset by using PUK (id.ee) If PUK blocks, PINs can be reset in bank or PBGB With PERFORM SECURITY OPERATION compute digital signature (spec page 131) 11 / 19

12 Task 2 Implement utility that performs decryption on ID card. $ echo -n "secret hello to you..." > plain.txt $ openssl rsautl -encrypt -certin -inkey sign.pem -in plain.txt -pkcs -out ciphertext $./esteid_decrypt.py ciphertext [+] Selected reader: Gemalto PC Twin Reader [+] EstEID v1.1 on MultiOS (DigiID) [?] Enter PIN2: [+] Decrypted text: secret hello to you... Decrypting (spec page 48): SELECT FILE MF/EEEE With MANAGE SECURITY ENVIRONMENT restore security environment #6 With MANAGE SECURITY ENVIRONMENT delete reference to auth and sign keys With MANAGE SECURITY ENVIRONMENT tell that we want to decrypt with sign key With VERIFY verify PIN2 With PERFORM SECURITY OPERATION decipher ciphertext (spec page 131) 12 / 19

13 APDU Command Chaining (spec page 115) If the data in APDU is larger than 255 bytes, data must be sent to the card in several blocks. Required for task 2 if your card has 2048-bit RSA keys (data will be 257 bytes (256 bytes ciphertext + 0x00 byte prefix)) Split the data in smaller blocks and send to the card using 0x10 CLA byte (except for the last block). 13 / 19

14 Bonus (+2 points) Provide utilities with --measure argument which measures the time needed to perform 100 operations: $./esteid_decrypt.py ciphertext --measure [+] Selected reader: Gemalto PC Twin Reader [+] EstEID v1.1 on MultiOS (DigiID) [+] Measuring the time required for 100 decryptions... [?] Enter PIN2: [+] Time: $./esteid_sign.py somefile somefile.signature --measure [+] Selected reader: Gemalto PC Twin Reader [+] EstEID v1.1 on MultiOS (DigiID) [=] Signing file somefile [+] Calculated SHA1 digest: e cd7f32184a22190ab c [+] Making DigestInfo object... [+] Measuring the time required for 100 signings... [+] Sending DigestInfo to smart card for signing... [?] Enter PIN2: [+] Time: / 19

15 Bonus (+2 points) Measurement loop must contain only minimum operations required The time can be measured using: import datetime s = datetime.datetime.now() print "[+] Time:", (datetime.datetime.now()-s).total_seconds() Run each experiment 3 times and provide min/max measurement output into esteid sign.out and esteid decrypt.out on your repository Give your educated guess why one operation is faster than the other 15 / 19